Corillian Corp.'s Greg Hughes, chief security executive, and Scott Hanselman, chief architect, insist they are no bandwagon jumpers. That's particularly true when it comes to security -- its banking and credit union customers depend on Corillian to deliver high-performing and secure online banking solutions.
So the decision to implement Microsoft Windows CardSpace (formerly InfoCard), an identity selector designed to allow users to provide their digital identity to online services in a simple, secure and trusted way, has been a work in progress for more than a year.
First, Corillian brought its security team to participate in an early beta at Microsoft. Then the company had its banking product engineering team work with Microsoft to do an early integration with its online banking application and authentication engine. And currently, the Hillsboro, Ore.-based company is prototyping with a few of its customers.
But the light is definitely green for moving forward. "We don't jump on bandwagons here. We require proof before we execute, and that's what we've done," Hughes said. "We wouldn't be adopting [Windows CardSpace] if we didn't think it provided an advantage to our customers, and a value for everyone. Our intent was to work with what was becoming obvious to us as a significant capability enhancement in the area of user ID management."
He added: "CardSpace is a logical and extremely viable part of a layered security -- the defense in depth that financial institutions are doing today."
Windows CardSpace is one of four new technologies, along with Windows Presentation Foundation, Windows Communication Foundation and Windows Workflow Foundation, that are part of the Microsoft .NET Framework 3.0. CardSpace is part of Microsoft's implementation of an identity metasystem supported by open standard WS-* protocols. CardSpace supports WS-Security, WS-Secure Conversation, WS-SecurityPolicy, WS-MetadataExchange and WS-Trust.
With CardSpace, there is a security-hardened UI with a set of "cards." First, a user creates these cards with specific associated identity data. Then the user chooses which card to use for a particular application or Web site and chooses to release this information or not. Finally, encrypted security tokens are exchanged via a Web service to authenticate the user.
According to Hughes, there are several CardSpace features the company found attractive. "It puts control of the management and ownership of the pieces of information that make up the ID with the end user, where it belongs," he said, adding, "it enables stronger forms of asserting ID beyond user name and password. We're defense in depth here, so CardSpace gives us a way to do this which also is significantly stronger in many ways, because it's done in software."
Historically, online banking applications used user name and password as a way to authenticate users, Hughes said. Today, as the industry has evolved to increased security, most sites have multiple layers of authentication. Windows CardSpace strengthens authentication methods, Hughes said, by allowing users to control their identity information and only provide what is necessary for a particular site or application.
Corillian had already implemented strong methods of authentication in addition to user name and password, Hughes said, such as monitoring online behavior and requiring users to validate themselves if that behavior raised a red flag. The use of CardSpace replaces the user name/password dynamic. "You have to have that virtual card. CardSpace puts a nice GUI on something that is relatively complex under the hood, but makes it so my mom can use it."
With CardSpace, he said, "the user can say, 'Here's my one or two pieces of information I'm willing to give you; ID me, then authenticate me.'" For example, a Web site that was just for chatting may only require minimal information, like city and name, to participate, and with CardSpace you can provide just those details.
Support of the WS-* standards is also important, Hughes said. "These are open standards. This is not a Microsoft-only game. There are active implementations using those standards now, and the intent to support them seems across the board. The idea of a standards-based way of doing this is critical."
The concept behind Windows CardSpace also fit well into Corillian's strategy, according to Hanselman.
"We were in a good spot," he said. "Our banking application already had the notion of an alias ID where people had multiple IDs. Because CardSpace has a nice clean abstraction you can do the same thing, and it looks to our application like another complicated password. We can plug into the existing alias like a single sign-on application. People can enroll in CardSpace and remove username/password. It wasn't a huge deal, and I don't anticipate it would be for others."
Hughes acknowledged that customers do have concerns about the initial need to run Microsoft Internet Explorer and Windows to utilize CardSpace. However, that is already changing with the availability of a plug-in providing Firefox support for Windows CardSpace, announced at year-end.
"I run Firefox; it's not pretty, but it still works. I can log into CardSpace-enabled sites using Firefox with .NET 3.0," Hughes said, adding that he expects Linux and Mac support to follow soon.
Hughes said some customers also fear Windows CardSpace is just a "second coming of Passport." However, said Hanselman, that's just the FUD factor: "[CardSpace] is really just the opposite; it's fundamentally different." Unlike Passport, which itself stored information, Windows CardSpace puts the control of that information in the hands of the end user, he said.
For Corillian, working with CardSpace sooner rather than later will provide some competitive advantage, Hanselman said -- but only "in the sense that putting in airbags gave those vehicles an advantage until they were in everyone's car." Clearly, Corillian is expecting widespread adoption, and is getting out ahead of the curve.